Have you heard the story about the foolish farmer’s new horse? The story goes that one day in early spring, a farmer’s horse dies. The farmer needs a horse to pull his plow, so he goes to market to buy a new horse. There he meets a neighbor who says, “I have a promising yearling [adolescent horse] that will be up for sale in a month or two. Why not wait? The yearling will be much stronger and healthier than some old nag you’d buy here.” The farmer agrees.
A few months go by, and on the way to bring the yearling to market, the neighbor tells the (still horseless) farmer, “I have a foal—born just this season—that will be the strongest and healthiest of all my animals. Much stronger than this yearling if you wait a few more months.”
The farmer once again agrees, and as the harvest time is coming to a close, the neighbor comes again, this time saying, “I’ve found a stallion that will surely sire the strongest line of horses this town has ever seen…” The farmer stops him and says not to bother because, “Without a horse, I could not till. Without tilling, I could not reap. Without reaping, I could not lay stores. And without laying stores, I won’t survive the winter.”
The point of this parable isn’t hard to understand: however attractive future opportunities are, they do not matter if you are not handling the critical needs of today. It is a balance between the advantages of what you might get by waiting and the opportunity cost of not acting now.
This is a useful principle for practitioners making risk decisions for their firms. For example, consider a new technology, new application or new business process. There’s often a temptation to focus almost exclusively on the new risks such changes might introduce. But what about the risks offset by that change? What about the business risks in failing to adopt (i.e., if we don’t adopt and our competitor does)? The holistic risk equation is more complicated than it might seem on the surface, and saying that something new is “risky” is really only accounting for one half of the equation.
Mobile Payment Opportunity Costs?
One noteworthy example of this phenomenon right now involves mobile payments. Specifically, we know that many technology professionals are extremely leery of mobile payments. ISACA’s 2015 Mobile Payment Security Study found only 23 percent of IT and security professionals believe mobile payments will keep information safe—which, let’s face it, is not exactly a vote of confidence.
It bears asking, though, how that compares to the alternative. Meaning, are there risks to mobile payment scenarios? Sure. Show me a technology without some risk and I’ll show you a technology that’s completely valueless. But even if there is risk, what is the opportunity cost? What do we miss out on by waiting for some future scenario that is even more locked down? And how does the risk of mobile payments compare, for example, to the physical and e-commerce transactions that you perform already using your physical card?
Is a mobile payment scenario riskier than, for example, handing your credit card to a waiter at a restaurant? Is it more likely to bring about fraud than using a “knuckle-buster” (a manual imprinter that leaves a carbon copy of the full card number) in a taxicab? Is the card number more or less likely to be stolen when making a mobile payment versus typing it into a web form at a merchant? In most situations, and for the most frequently encountered types of fraud, the mobile payment scenario is arguably significantly less risky than the traditional one.
For example, the mechanisms used to protect a point-of-sale mobile payment (e.g., tokenization, which gives the merchant a substitute number in place of the actual card number, and encryption) have real advantages over a magnetic-stripe swipe or a hand-keyed card number; likewise, a lost or stolen mobile phone probably protects the cardholder data better than a lost or stolen wallet, since a payment from the phone usually requires additional authentication such as a fingerprint or facial recognition, whereas a physical card can be used by whoever holds it.
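To make the tokenization point concrete, here is a toy model added for this discussion; it is not code from the ISACA paper or from the original post. It assumes a simplified token vault (real network tokenization is operated by the card networks and also uses per-transaction cryptograms, which this model omits), binds each token to the device that enrolled it, and uses the well-known constructed test card number 4111111111111111 rather than a real card.

```python
import secrets


def luhn_check_digit(digits: str) -> str:
    """Compute the Luhn check digit for a digit string that lacks its check digit."""
    total = 0
    # Walk from the right; the rightmost digit of `digits` is doubled because
    # the check digit will be appended after it.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if `pan` is a digit string of card-number length with a correct Luhn check digit."""
    return pan.isdigit() and len(pan) >= 13 and luhn_check_digit(pan[:-1]) == pan[-1]


class TokenVault:
    """Toy token service provider (an assumption for illustration, not a real network's API).

    The phone and the merchant only ever see the token; the mapping back to the
    real card number lives in the vault and is bound to the enrolling device.
    """

    def __init__(self, token_bin: str = "999999"):
        self._token_bin = token_bin   # fictitious prefix so tokens are recognisable here
        self._entries = {}            # token -> (pan, device_id)

    def tokenize(self, pan: str, device_id: str) -> str:
        """Issue a fresh, Luhn-valid 16-digit token for `pan`, bound to `device_id`."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            body = self._token_bin + "".join(str(secrets.randbelow(10)) for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._entries:
                break
        self._entries[token] = (pan, device_id)
        return token

    def is_token(self, value: str) -> bool:
        return value in self._entries

    def resolve(self, token: str, device_id: str):
        """Map a token back to the PAN, but only for the device it was issued to."""
        entry = self._entries.get(token)
        if entry is None or entry[1] != device_id:
            return None   # unknown token, or presented from a device it was not bound to
        return entry[0]


def reusable_from_breach(vault: TokenVault, stolen_values, attacker_device="attacker-laptop"):
    """Given values stolen from a merchant database, return the ones an attacker can reuse.

    A card-on-file merchant stores the PAN itself, which works anywhere. A merchant
    accepting tokenized mobile payments stores only tokens, which the vault refuses
    to honour for a device they were not issued to.
    """
    reusable = []
    for value in stolen_values:
        if vault.is_token(value):
            if vault.resolve(value, attacker_device) is not None:
                reusable.append(value)
        elif luhn_valid(value):
            reusable.append(value)
    return reusable


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"   # constructed test number, not a real card
    token = vault.tokenize(pan, device_id="alice-phone")
    print("token issued:", token, "luhn valid:", luhn_valid(token))
    print("wallet device resolves:", vault.resolve(token, "alice-phone") == pan)
    print("attacker device resolves:", vault.resolve(token, "attacker-laptop"))
    print("card-on-file breach yields:", reusable_from_breach(vault, [pan]))
    print("tokenized breach yields:", reusable_from_breach(vault, [token]))
```

The merchant-side record looks like a card number in both cases (same length, passes the same format checks), which is why tokenization slots into existing systems; the difference is only visible when the stolen value is presented for reuse.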
In short, accounting for mobile payments from a holistic standpoint means understanding how the mobile payments themselves work, understanding what the risks associated with that usage are, and understanding how that usage might be applicable to the enterprise.
ISACA’s new white paper, Is Mobile the Winner in Payment Security?, tries to help practitioners do this. The paper outlines mobile payments from a practitioner point of view, covering potential risk areas, ways mobile payments can offset existing risks, and business-enhancing value opportunities. It also explores some possible controls that might add value in a mobile payments deployment.
Ed Moyle, Director of Emerging Business and Technology, ISACA
[ISACA Now Blog]